Ruby on Rails vulnerable to mass assignment and SQL injection

Over the last few weeks Ruby on Rails has been hit by several security vulnerabilities. As with all bigger open source projects, it is up to the community to spot and fix such issues. Last week I notified the Ruby on Rails security team about a huge vulnerability that I spotted in the latest stable release of Rails and its related gems. As a result the Rails core team published a security advisory today, urging users to upgrade the json gem to the latest stable release.

Here’s the gist: The default JSON parser can be used to inject malicious objects into the params hash of a Rails application. This allows for tampering with ActiveRecord::Base functionality like dynamic finders and attribute assignment, eventually leading to mass assignment of blacklisted attributes or even SQL injection. Besides deserializing simpl...
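As an added illustration of the defensive side of this (my own example, not code from the post or from Rails), the snippet below parses a request body with the json gem's object-creation hook switched off and then refuses any params structure that contains something other than plain JSON values, so nothing but strings, numbers, booleans, nil, arrays and hashes can reach dynamic finders or attribute assignment. The function names and the sample documents are constructed for this example.

```ruby
require 'json'

# The only value types a JSON document should ever produce. Anything else
# (a Symbol, an instance of some application class, ...) means the parser
# materialised a Ruby object from untrusted input.
PLAIN_JSON_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Recursively verify that a parsed structure holds only plain JSON values
# and that every hash key is a String (never a Symbol created from input).
def plain_json_only?(value)
  case value
  when Hash
    value.all? { |k, v| k.is_a?(String) && plain_json_only?(v) }
  when Array
    value.all? { |v| plain_json_only?(v) }
  else
    PLAIN_JSON_TYPES.any? { |t| value.is_a?(t) }
  end
end

# Parse a request body into a params-like hash. `create_additions: false`
# tells the json gem not to instantiate objects for documents carrying its
# "json_class" hook; the structural check afterwards is defence in depth in
# case a different or misconfigured parser is in play.
def safe_parse_params(body)
  params = JSON.parse(body, create_additions: false)
  unless plain_json_only?(params)
    raise ArgumentError, 'request body contains non-JSON Ruby objects'
  end
  params
end

# Constructed sample documents: an ordinary request and one that carries
# the gem's object-creation key, which must stay an ordinary string value.
ORDINARY_BODY = '{"user":{"name":"alice","admin":false}}'
HOOKED_BODY   = '{"json_class":"SomeClass","user":{"name":"bob"}}'
```

When `safe_parse_params(HOOKED_BODY)` returns, `json_class` is just a string entry in a Hash, and a structure that somehow contains a Symbol or an arbitrary object fails `plain_json_only?` before it can reach ActiveRecord.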